Channels

Services

Dutch government takes control of DigiNotar CA

The Dutch government has "taken over operational management" of DigiNotar, the certificate authority (CA) which was breached in July putting hundreds of bogus SSL certificates into circulation. According to a factsheet from the Dutch government, they are denouncing trust in certificates issued by DigiNotar. It points out that, although there are no Dutch government certificates among the known fraudulent certificates, web site visitors may get warning messages that sites can no longer be trusted and server-to-server communications which use the CA's certificates may be disrupted.

The government issues certificates itself for different purposes and they are signed with "The Government of the Netherlands". For this process, it has used systems that were operated at DigiNotar. Last week, DigiNotar had pointed out that PKIoverheid, the government certificate issuing process, was not affected by the attacks, but new evidence suggests that apparently the intruders did have access to PKIoverheid. Whether the attackers took the opportunity to issue certificates at that point is currently unknown. The Dutch government has not revoked any certificates yet though, as that may cause systems that rely on the certificates for encrypted communications to fail. Instead, it has taken operational management control of DigiNotar and is closely monitoring the systems as it executes a plan to transition to other sources of certificates.